cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jayapal Uradi <jayapal.ur...@accelerite.com>
Subject Re: POLL: ACL default egress policy rule in VPC
Date Tue, 14 Nov 2017 05:12:52 GMT
Hi Rene,

Please look at my inline comments.
Let me add some context for the VPC egress/ingress rules behavior.

Pre 4.5 (subject to correction) the behavior of VPC acl is as follows.

1. Default egress is ALLOW and ingress is DROP.
   a.  When a rule is added to egress then that particular rule traffic is allowed and rest
is blocked in egress.
   b.  When a rule is added to ingress then that particular rule traffic is allowed and rest
is blocked in egress.

After 4.5 ACL lists and ACL items feature is introduced there we have ‘default allow’
and ‘default deny’ ACLs. User can also
create a custom acl. In ACL feature we can add mix of allow and deny rules and the ordering
of rules is maintained.

1.  when ‘default allow’ is selected while creating the vpc tier
    By default traffic is ALLOWED and rules can be added to ALLOW/DENY the traffic
   After adding the rules there will be ACCEPT at the end
2.  when ‘default deny’ is selected while creating the vpc tier
    By default traffic is DENY and rules can be added to DENY/ALLOW the traffic.
      After adding the rules there will be DROP at the end
3. If no ACL selected for the ACL then Pre 4.5 behavior will be there.
4. With custom acl default ingress is DROP and egress is ALLOW. User can add rules for allow/deny
rules.

If you see behavior other than above then there will be bug.

Currently in VPC egress behavior is controlled from the ACLs. If include  ‘egressdefaultpolicy’
then there will be confusion.

What I feel is that current VPC ACLs are flexible enough  to configure the required behavior.

Thanks,
Jayapal





> On Nov 13, 2017, at 11:17 PM, Rene Moser <mail@renemoser.net> wrote:
> 
> Hi Devs
> 
> The last days I fought with the ACL egress rule behaviour and I would
> like to make a poll in which direction the fix should go.
> 
> Short Version:
> 
> We need to define a better default behaviour for acl default egress
> rule. I see 3 different options:
> 
> 1. always add a default deny all egress rule.
> 
> This would be super easy to do (should probably also the intermediate
> fix for 4.9, see https://github.com/apache/cloudstack/pull/2323)
> 
> 
> 2. add a deny all egress rule in case if have at least one egress allow
> rule.
> 
> A bit intransparent to the user, but doable. This seems to be the
> behaviour how it was designed and should have been implemented.
> 
Currently we can configure the ACLs to get this behavior.
> 
> 3. use the default setting in the network offering "egressdefaultpolicy"
> to specify the default behavior.
> 
> There is already a setting which specifies this behaviour but is not
> used in VPC. Why not use it?
> 
> As a consequence when using this setting, the user should get more infos
> about the policy of the network offering while choosing it for the tier.
> 
> 
> Poll:
> 
> 1. []
> 2. []
> 3. []
> 4. [] Other? What?
> 
> 
> Long Version:
> 
> First, let's have a look of the issue:
> 
> In version 4.5, creating a new acl with no egress (ACL_OUTBOUND) rule
> would result in a "accept egress all":
> 
> -A PREROUTING -s 10.10.0.0/24 ! -d 10.10.0.1/32 -i eth2 -m state --state
> NEW -j ACL_OUTBOUND_eth2
> -A ACL_OUTBOUND_eth2 -j ACCEPT
> 
> When an egress (here deny 25 egress) rule (no mather if deny or allow)
> gets added the result is a "deny all" appended:
> 
> -A PREROUTING -s 10.10.0.0/24 ! -d 10.10.0.1/32 -i eth2 -m state --state
> NEW -j ACL_OUTBOUND_eth2
> -A ACL_OUTBOUND_eth2 -p tcp -m tcp --dport 25 -j DROP
> -A ACL_OUTBOUND_eth2 -j DROP
This is seen because default egress is drop and user added rule to deny port 25 traffic.
User has choice of adding allow/deny rules with priority number.
> 
> This does not make any sense and is a bug IMHO.
> 
> 
> In 4.9 the behaviour is different:
> 
> (note there is a bug in the ordering of egress rules which is fixed by
> https://github.com/apache/cloudstack/pull/2313)
> 
> The default policy is kept accept egress all.
> 
> -A PREROUTING -s 10.11.1.0/24 ! -d 10.11.1.1/32 -i eth2 -m state --state
> NEW -j ACL_OUTBOUND_eth2
> -A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT
> -A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT
> -A ACL_OUTBOUND_eth2 -p tcp -m tcp --dport 80 -j ACCEPT

In 4.9 it is a bug. After accept rules there supposed to DROP all at the end.
> 
> 
> To me it looks like the wanted behavior was "egress all as default. If
> we have allow rules, append deny all". This would make sense but is
> quite instransparent.
> 
> But let's poll
> 
> 

DISCLAIMER
==========
This e-mail may contain privileged and confidential information which is the property of Accelerite,
a Persistent Systems business. It is intended only for the use of the individual or entity
to which it is addressed. If you are not the intended recipient, you are not authorized to
read, retain, copy, print, distribute or use this message. If you have received this communication
in error, please notify the sender and delete all copies of this message. Accelerite, a Persistent
Systems business does not accept any liability for virus infected mails.
Mime
View raw message